US Companies Reveal Red Flag Cyber Vulnerability

A disturbing number of major U.S. retailers, industrial firms, government agencies and other organizations have been impacted in a recent onslaught of cyberbreaches that raise red flags regarding increasing vulnerability for consumers and businesses alike.

The cyber ambushes have exposed millions of consumer payment cards to fraud. Cyber criminals have employed numerous types of social engineering cons to infiltrate corporate computer systems and resell financial data on the Dark Web.

What is most aggravating regarding the attacks is that in the aftermath of the high-profile intrusions during the 2016 presidential election and the expanding ransomware attacks of 2017, there has been little reaction or forward movement in developing comprehensive offensive strategies.

Too many major U.S. institutions have been maintaining the status quo instead of researching and executing new technologies to protect critical financial and personal information from determined adversaries, whether criminal cybergangs or rogue nation states.

“U.S. companies and organizations are woefully underprepared to deal with modern attacks like this — and the problem is simply exacerbated by the amounts and access to personal data these companies and institutions store,” said Kevin O’Brien, CEO of GreatHorn.

The personal data stolen in past attacks enhances the efficacy of future attacks, he explained to the E-Commerce Times. Executive impersonation scams, for example, have risen 300 percent over the past year.

Orbitz and Under Armour

GreatHorn revealed that nearly one in three executives have fallen victim to these types of attacks, either by clicking links in suspicious emails or by having their names and emails spoofed and used in propagating future breaches.

Travel website Orbitz on March 20 announced that credit card data belonging to 880,000 customers on a legacy platform might have been accessed by an attacker between Oct. 1 and Dec. 22, 2017, according to spokesperson David McNamee.

After bringing in a leading third-party forensic team and notifying law enforcement, Orbitz determined that the attacker might have accessed data for trips purchased between Jan. 1 and June 22, 2016, on its legacy site and purchases on its legacy partner platform for trips purchased from Jan. 1, 2016 to Dec. 22, 2017.

The compromised data consisted of names, credit card numbers, dates of birth, email addresses, physical addresses and gender. The company did reveal how the attackers accessed the data. Orbitz has offered customers a year of free credit card monitoring in response.

Under Armour on March 29 announced that 150 million accounts using the MyFitnessPal food and nutrition app had been compromised after an unauthorized third party gained access to user data sometime in February.

The breach, which was discovered on March 25, involved usernames, emails and hashed passwords, but not credit card, driver’s license or social security numbers. Under Armour called on data security firms and law enforcement to address the breach and has notified customers via email or using the app.

Boeing, Saks, Sears, Delta

Boeing in March was hit by a cyberattack that reportedly was a variant of the WannaCry ransomware. The attack impacted a North Charleston, South Carolina, production facility, according to The Seattle Times.

Boeing has not said whether the malware was WannaCry or any type of ransomware.

Despite the potential link to WannaCry in the Boeing case, and links to SamSam in a recent attack on the city of Atlanta, ransomware attacks actually have been on the decline as a cybercrime tactic as the demand for virtual currency has skyrocketed.

“Cryptomining is more profitable since people never know they are infected and work for the attacker longer,” noted Craig Williams, director of outreach at Cisco Talos.

“It’s also less likely to be pursued by law enforcement since it isn’t very destructive in nature,” he told the E-Commerce Times.

One of the most recent major breaches exposed the credit card data of 5 million customers of Saks Fifth Avenue, Saks Off Fifth and Lord & Taylor, all subsidiaries of Hudson’s Bay Company.

A JokerStash syndicate on March 28 announced that it had 5 million stolen credit and debit cards for sale on the Dark Web, according to a post by Gemini Advisory, a cybersecurity firm.

Delta Air Lines and Sears Holdings on April 4 separately announced that they were the victims of a data breach at a customer service online chat platform called [24]7.ai.

Sears said it was notified in mid-March about the incident, which involved access to credit card data of fewer than 100,000 customers between Sept. 27, 2017, and Oct. 12, 2017. However, customers using Sears-branded cards were not impacted. Sears said it immediately notified federal law enforcement, its banking partners and outside IT security firms, and that neither stores nor internal Sears systems were compromised.

Delta said it was notified by the same firm on March 28, and that certain payment data for a “small subset” of customers from Sept. 26, 2017, to Oct. 12, 2017, had been accessed. Federal law enforcement and outside cyberforensic teams were brought in to help investigate the incident. The airline launched a website, delta.com/response, to post updates.

Asleep at the Wheel

“While each incident is different, the overarching theme is poor cybersecurity hygiene, or fundamentals,” said Andrew Howard, CTO at Kudelski Security.

“None of these attacks appear to be overly sophisticated, but rather take advantage of mistakes and human error to gain access,” he told the E-Commerce Times.

A common thread across major companies is that no one has been thinking proactively across different threat vectors, observed Manoj Asnani, vice president of product and design at Balbix.

“If we expect to see the problem minimized at any time in the near future,” he told the E-Commerce Times, “enterprises are going to need to find a better way to cover all of their attack surfaces, and fix key issues ahead of the next breach happening.”

Samantha Keller (AKA Sam) is a published author, tech-blogger, event-planner and mother of three fabulous humans. Samantha has worked in the IT field for the last fifteen years, intertwining a freelance writing career along with technology sales, events and marketing. She began working for EnhancedTECH ten years ago after earning her Bachelor’s degree from UCLA and attending Fuller Seminary. She is a lover of kickboxing, extra-strong coffee, and Wolfpack football. Her regular blog columns feature upcoming tech trends, cybersecurity tips, and practical solutions geared towards enhancing your business through technology.